From ad65222b8285c615e622c521eff4f27b0adba04b Mon Sep 17 00:00:00 2001 From: test2 Date: Wed, 13 Nov 2019 00:36:25 +0200 Subject: [PATCH] iptables --- sec/ex-3_iptables.adoc | 117 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 108 insertions(+), 9 deletions(-) diff --git a/sec/ex-3_iptables.adoc b/sec/ex-3_iptables.adoc index d4e2653..f90c916 100644 --- a/sec/ex-3_iptables.adoc +++ b/sec/ex-3_iptables.adoc 
@@ -380,29 +380,128 @@ First of all, our computer is not a router (unless, of course, it is a router). === Examples -We going to use Shorewall as an iptables configuration tool. See Appendix. +We are going to use Shorewall as an iptables configuration tool. See Appendix. -Here some examples of "raw" iptables command lines. +Here are some examples of "raw" iptables command lines. ==== Block Traffic by PortPermalink -You may use a port to block all traffic coming in on a specific interface. For example: +You may use a port to block all traffic coming in on a specific interface. +For example: + +[source,bash] +---- iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0 +---- Let’s examine what each part of this command does: - -A will add or append the rule to the end of the chain. - INPUT will add the rule to the table. - DROP means the packets are discarded. - -p tcp means the rule will only drop TCP packets. - --destination-port 110 filters packets targeted to port 110. - -i eth0 means this rule will impact only packets arriving on the eth0 interface. +- **-A** will add or append the rule to the end of the chain. + + **INPUT** will add the rule to the table. + + **DROP** means the packets are discarded. + +- **-p tcp** means the rule will only drop TCP packets. +- **--destination-port 110** filters packets targeted to port 110. +- **-i eth0** means this rule will impact only packets arriving on the eth0 interface. 
+==== Drop Traffic + +In order to drop all incoming traffic from a specific IP address, use the iptables command with the following options: + +[source,bash] +---- +iptables -I INPUT -s 198.51.100.0 -j DROP +---- + +To remove these rules, use the **--delete** or **-D** option: + +[source,bash] +---- +iptables --delete INPUT -s 198.51.100.0 -j DROP +iptables -D INPUT -s 198.51.100.0 -j DROP +---- + + +==== Block or Allow Traffic by Port Number + +One way to create a firewall is to block all traffic to the system and then allow traffic on certain ports. + +Below is a sample sequence of commands to illustrate the process: + +[source,bash] +---- +iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT +iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT +iptables -A INPUT -p tcp -m multiport --destination-ports 22,25,53,80,443,465,5222,5269,5280,8999:9003 -j ACCEPT +iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT +iptables -P INPUT DROP +iptables -P FORWARD DROP +---- + +Let’s break down the example above. + +The **first two** commands add or append rules to the **INPUT chain** in order to allow access on specific ports. + +The **-p tcp** and **-p udp** options specify either **UDP** or **TCP** packet types. + +The **-m** multiport function matches packets on the basis of their source or destination ports, and can accept the specification of up to 15 ports. + +Multiport also accepts **ranges such as 8999:9003** which counts as 2 of the 15 possible ports, but matches ports 8999, 9000, 9001, 9002, and 9003. + +The next command **allows all incoming** and **outgoing packets** that are associated with existing connections so that they will not be inadvertently blocked by the firewall. + +The final two commands use the **-P** option to describe the **default policy** for these chains. 
As a result, all packets processed by **INPUT** and **FORWARD** will be dropped by default. + +[NOTE] +==== +Note that the rules described above only control incoming packets, and do not limit outgoing connections. +==== + +=== More Examples + +[source,bash] +---- +# Allow all loopback (lo0) traffic and reject traffic +# to localhost that does not originate from lo0. +-A INPUT -i lo -j ACCEPT +-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT + +# Allow ping. +-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT + +# Allow SSH connections. +-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT + +# Allow HTTP and HTTPS connections from anywhere +# (the normal ports for web servers). +-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT +-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT + +# Allow inbound traffic from established connections. +# This includes ICMP error returns. +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + +# Log what was incoming but denied (optional but useful). +-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7 + +# Reject all other inbound. +-A INPUT -j REJECT + +# Log any traffic that was sent to you +# for forwarding (optional but useful). +-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7 + +# Reject all traffic forwarding. +-A FORWARD -j REJECT +---- [appendix]
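Review bot: the breakdown under "Block or Allow Traffic by Port Number" describes the commands in an order that does not match the listing above it. In the listing, the first two commands are the `ESTABLISHED,RELATED` accept and the loopback accept; the port-based rules are the fourth and fifth commands, and the conntrack rule that the text calls "the next command" is actually the first one. Either reorder the prose to follow the listing ("The first command accepts packets belonging to existing connections…", then loopback, ICMP, the two multiport rules, and finally the two `-P` policies) or reorder the commands, keeping the `ESTABLISHED,RELATED` rule ahead of the policy change so reply traffic is not cut off when `iptables -P INPUT DROP` takes effect. Related wording: "allows all incoming and outgoing packets that are associated with existing connections" overstates what a rule in `INPUT` does; it only matches incoming packets, which is exactly what the `[NOTE]` block at the end says, so drop "and outgoing" to keep the two statements consistent. Two smaller points in the same hunk: the heading `==== Block Traffic by PortPermalink` carries the "Permalink" suffix from a copied web page and should read `==== Block Traffic by Port`; and the bullet `**INPUT** will add the rule to the table.` should say that `INPUT` is the chain (in the default `filter` table) the rule is appended to, to avoid confusing chains and tables. Finally, the `=== More Examples` block is in `iptables-save`/`iptables-restore` line format (no `iptables` prefix, no `*filter`/`COMMIT` framing) while it is tagged `[source,bash]`; a one-line lead-in saying these lines belong in a rules file loaded with `iptables-restore` rather than typed at a shell would stop readers from pasting them as commands.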